I work in an office in the UK with about 120 staff.
We all have access to the "public drive", which is a LAN share for us to share work. There are also things on there like pics from the Christmas party, etc. It's pretty big.

A colleague recently told me that he found a folder full of every employee's resume/CV. Some he didn't recognise, so they must be people who applied and didn't get a job. He also told me things about other people's previous work.
I'd also heard another colleague say that he once found his own interview feedback, with comments and everything.

Does this breach data protection laws?

I should note that my line of work makes it necessary for my employees to know my phone number, though probably not my address. But what about the other bits of information? Fair enough, it's not personal data, but isn't it unfair to have this public?

Note: I'm not asking if the person who found this information committed a data breach, but if the company did by putting it on the public drive in the first place.

This question appears to be off-topic. The users who voted to close gave this specific reason:

"Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals." – gnat, Jim G., Twyxz, jimm101, Michael Grubey

Are comments/feedback also personal? I've just found a spreadsheet with some current employers' names on. Comments include "Came across enthusiastic. Did well on case study" etc. These look like internal comments, not necessarily passed on to the candidate.
– OnlineUser02094, Sep 17 '18 at 11:18

@OnlineUser02094 This is not personal information; however, it should still be kept private from other employees.
– Twyxz, Sep 17 '18 at 11:22

Update: I only went through stuff with people's names I didn't recognise, to respect the colleagues I know, and I only skimmed through so that I could see what kind of information is on there. I have since reported it to one of the I.T. managers, who said they will remove it.
– OnlineUser02094, Sep 17 '18 at 18:39


This is absolutely not company-specific.
– Aidan Connelly, Sep 28 '18 at 13:21

2 Answers

First, to answer your question of whether this is a data breach, it absolutely is per GDPR. The GDPR definition of a "personal data breach" is the below. Personal data is defined broadly to include data that identifies a natural person using elements such as name and factors specific to the economic identity of a person. I interpret "economic" to include employment history.

You have not asked for this, but I will share with you some information security best practices that hopefully can mitigate a similar incident occurring in the future.

Least privileged access

Least privileged access means that only people who need access to a particular asset (such as this data) to perform their job are granted access. Apparently, in this case this best practice was not followed, because users with no legitimate business need obtained access to highly sensitive data they should not have had access to. You probably do not know for certain how long this data was exposed on the network share, or whether this data was already exfiltrated or otherwise misused.

Going forward after this incident, it is probably worthwhile to perform a thorough access review of users and exactly what access they have to data. To go along with this activity, designate a limited number of data custodians whose duty it is to safeguard access to such data. To obtain management buy-in, you can use this incident and its potential impact to the company (fines, lawsuits, etc.). Assuming management is rational and reasonable, they should care.
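As an added example (not part of this answer), here is how such an access review could be scripted. It assumes the public drive is a Windows share whose folder ACLs were exported to CSV with PowerShell's Get-Acl; the sample rows, the CORP domain and the HR-Team group are constructed. It flags HR-looking paths that all-staff groups can read, and honours an explicit Deny entry for the same principal.

```python
import csv
import re

# Principals that in practice mean "every employee" (assumption: CORP is the office's AD domain).
BROAD_PRINCIPALS = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
                    r"CORP\Domain Users"}
# Names suggesting HR or recruitment material (assumption: the share's naming convention).
SENSITIVE_PATH = re.compile(r"(?i)\bHR\b|\bCVs?\b|resum|interview|candidate|payroll")
# FileSystemRights values that let a principal read content.
READ_RIGHTS = {"Read", "ReadData", "ReadAndExecute", "Modify", "FullControl"}

# Constructed sample export: one row per ACE, as Get-Acl | Export-Csv would produce.
SAMPLE_EXPORT = r"""Path,IdentityReference,FileSystemRights,AccessControlType
\\fs01\Public\Christmas Party 2017,CORP\Domain Users,"ReadAndExecute, Synchronize",Allow
\\fs01\Public\HR\Candidate CVs,CORP\Domain Users,"ReadAndExecute, Synchronize",Allow
\\fs01\Public\HR\Candidate CVs,CORP\HR-Team,FullControl,Allow
\\fs01\Public\HR\Interview Feedback.xlsx,BUILTIN\Users,Read,Allow
\\fs01\Public\HR\Payroll,CORP\Domain Users,Read,Allow
\\fs01\Public\HR\Payroll,CORP\Domain Users,FullControl,Deny
\\fs01\Public\HR\Payroll,CORP\HR-Team,FullControl,Allow
"""


def parse_export(text):
    """Return one dict per ACE row from the CSV export."""
    return list(csv.DictReader(text.splitlines()))


def grants_read(rights_field):
    """True if a comma-separated FileSystemRights value includes a read-capable right."""
    return bool({r.strip() for r in rights_field.split(",")} & READ_RIGHTS)


def find_overexposed(aces):
    """Sorted (path, principal) pairs where a broad group can read an HR-looking path.
    Simplification: a Deny ACE for the same principal and path overrides an Allow,
    since explicit Deny entries are evaluated before Allow entries on Windows."""
    denied = {(a["Path"], a["IdentityReference"]) for a in aces
              if a["AccessControlType"] == "Deny"}
    findings = set()
    for a in aces:
        key = (a["Path"], a["IdentityReference"])
        if (a["AccessControlType"] == "Allow" and a["IdentityReference"] in BROAD_PRINCIPALS
                and SENSITIVE_PATH.search(a["Path"]) and grants_read(a["FileSystemRights"])
                and key not in denied):
            findings.add(key)
    return sorted(findings)


if __name__ == "__main__":
    for path, who in find_overexposed(parse_export(SAMPLE_EXPORT)):
        print(f"REVIEW: {who} can read {path}")
```

Each flagged pair is a candidate for the data custodians to decide on, not an automatic permission change.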

Data labelling and classification

It is best security practice to classify data based on its sensitivity, with one consideration of sensitivity being the potential adverse impact if it were to be compromised (as it was in your case). Your company is fairly small now at 120 employees, but as it expands, maintaining proper governance of data will tend to be more important. Depending on your standing and role in the company, suggesting improving the classification of data may be something to explore with company management / your manager.

This does not have to be a complex effort, and a data classification scheme as simple as public vs. confidential data may suffice. Regardless, any decisions should be documented and signed off on by management in a policy document made known to all stakeholders.

Security incident response and data exfiltration detection

In this case, the security incident was brought to your attention by your colleague. Informal methods of notification may work when organizations are immature, but as companies grow, from my work experience it's almost always beneficial to establish formal procedures for identifying, containing, remediating, and reporting security incidents to company management. As part of the security incident response procedures, there should be means, such as DLP, to detect the unauthorized transmission or disclosure of company data.

Encryption of sensitive data

Depending on your threat model, the value of this data to management, and the technological capability of your company IT, you may want to think about encrypting such sensitive data, so that even if individuals gain unauthorized access to it, they cannot read it. If you decide to go this route, below are some best implementation practices:

Use a secure encryption protocol such as AES or RSA using a long private key length to make decryption by malicious actors as difficult as possible.

Establish procedures and controls to safeguard the decryption key, such as through split knowledge or control.

Rotate the encryption / decryption key periodically or whenever you suspect it is compromised.

Keep access to the encryption key to the minimum number of custodians that need access to it to perform their job duties.

As you are based in the UK, this is a huge issue for your company, especially with the new GDPR changes.

Any personal information should be protected, including address, phone numbers and even any employment history.

Other employees should most definitely not be able to access personal comments, interview comments and especially not personal details that should be secure. Report this to your manager/HR straight away, otherwise you're going to have a massive issue if any of this is released outside of the company...

As you mentioned you can see the comments/feedback on a spreadsheet. Although not personal... This could cause some other potential issues within the company e.g. bullying, complaints and just unnecessary discussion in general.

@AdzzzUK No, the IT team has already failed. Report to legal / HR and CC someone high up.
– rath, Sep 17 '18 at 11:48


@rath, the IT team need to take immediate action by locking the folder permissions down tight and immediately preventing anyone else from gaining access to the folders. That needs to happen immediately. Also, the HR team have been part of the breach by storing the data in this folder themselves and potentially assuming that only they could see it. I do agree that HR and up the chain should be informed, however.
– AdzzzUK, Sep 17 '18 at 11:56


@rath I wouldn't say the IT team failed. There is a good chance they have no idea what's on the network drive. They were probably told "we need network storage". This is an issue with whoever put them there, not the IT department.
– SaggingRufus, Sep 17 '18 at 14:01


It's probably worth mentioning that we are an I.T. firm, lol. It has since been reported.
– OnlineUser02094, Sep 17 '18 at 18:41


The company will 100% be legally required to report this to the relevant overseeing agency. This is a pretty massive breach. Personal data about employment history is especially sensitive anyway.
– Magisch, Sep 18 '18 at 6:17